First published: Mon Oct 21 2019(Updated: )
In FusionPBX up to v4.5.7, the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Fusionpbx Fusionpbx | <=4.5.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2019-16981.
The title of the vulnerability is 'In FusionPBX up to v4.5.7 the file app\conference_profiles\conference_profile_params.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.'
The severity of CVE-2019-16981 is medium with a severity value of 6.1.
CVE-2019-16981 affects FusionPBX up to version 4.5.7.
CVE-2019-16981 can be fixed by applying the patch provided in the GitHub commit: https://github.com/fusionpbx/fusionpbx/commit/021ff8f8e51cd1254d19e88e7aedc4b795067f8d